Full Report
Third-party contractor compromise exposed health information and insurance billing passwords
Analysis Summary
# Incident Report: Third-Party Social Engineering Breach at AdaptHealth
## Executive Summary
AdaptHealth, a major US home medical equipment provider, experienced a data breach after cybercriminals used social engineering to compromise a third-party contractor. The attackers gained access to cloud environments and internal patient management systems, exfiltrating sensitive patient data and insurance billing passwords. The incident was discovered after the threat actor contacted the company directly to disclose the theft.
## Incident Details
- **Discovery Date:** June 15, 2026
- **Incident Date:** June 2026 (exact start date unspecified)
- **Affected Organization:** AdaptHealth
- **Sector:** Healthcare (Medical Equipment/Services)
- **Geography:** United States (National)
## Timeline of Events
### Initial Access
- **Date/Time:** Early June 2026 (implied)
- **Vector:** Social Engineering
- **Details:** Attackers "sweet-talked" a third-party contractor, gaining their login credentials to access AdaptHealth’s cloud environment.
### Lateral Movement
- **Details:** From the initial contractor account, attackers successfully pivoted into internal business applications, document storage platforms, and external electronic health record (EHR) system portals.
### Data Exfiltration/Impact
- **Details:** The threat actor exfiltrated Protected Health Information (PHI), Personally Identifiable Information (PII), and passwords specifically associated with insurance billing portals.
### Detection & Response
- **Discovery:** June 15, 2026. The attacker proactively contacted AdaptHealth to disclose the theft.
- **Response Actions:** Immediate activation of incident response protocols, account suspension, and SEC disclosure filed on June 27, 2026, after determining the incident's materiality.
## Attack Methodology
- **Initial Access:** Social Engineering (targeting a third-party contractor).
- **Persistence:** Utilization of valid (stolen) contractor credentials.
- **Credential Access:** Stole insurance billing passwords during the breach.
- **Discovery:** Identified internal patient management and EHR portals once inside the cloud environment.
- **Collection:** Accessed internal document storage and patient databases.
- **Exfiltration:** Data exfiltrated to attacker-controlled systems; attacker later used this for direct contact/extortion.
- **Impact:** Unauthorized access and theft of sensitive medical and administrative data.
## Impact Assessment
- **Financial:** Pending investigation, but determined to be "material" for SEC reporting. Includes costs for mitigation and legal compliance.
- **Data Breach:** PHI and PII of an undisclosed number of patients; insurance billing passwords. SSNs and payment details are currently excluded from the scope.
- **Operational:** Disruption for credential resets and implementation of new access controls across the cloud environment.
- **Reputational:** Public disclosure of a breach affecting a company serving 4.2 million patients across 50 states.
## Indicators of Compromise
- **Network indicators:** [None disclosed in report; would typically include IP addresses used by the contractor from unusual regions]
- **File indicators:** [None disclosed]
- **Behavioral indicators:** Unusual access patterns from a contractor account to sensitive EHR portals and document storage.
## Response Actions
- **Containment:** Disabled the compromised contractor’s user account.
- **Eradication:** Reset credentials for affected systems and insurance billing portals.
- **Recovery:** Implemented additional access controls to prevent similar social engineering pivots.
- **Mitigation:** Took "steps intended to mitigate the risk of dissemination" of the stolen data (details not disclosed, potentially involving negotiations or data monitoring).
## Lessons Learned
- **Third-Party Risk:** Contractors remain a high-value target for attackers looking to bypass primary perimeter defenses.
- **Vulnerability to Social Engineering:** Human elements (contractors) can be the weakest link even when technical cloud security is present.
- **Materiality Timing:** It took approximately 12 days from discovery to determine the breach was "material" for SEC reporting.
## Recommendations
- **Multi-Factor Authentication (MFA):** Ensure phishing-resistant MFA (e.g., FIDO2 keys) is mandatory for all third-party contractors accessing internal cloud resources.
- **Least Privilege:** Restrict contractor access to the specific applications required for their role, rather than broad access to EHR portals and document storage.
- **Security Awareness Training:** Extend social engineering awareness training to third-party partners and vendors.
- **Monitoring:** Implement anomaly detection for contractor accounts to flag access to sensitive data platforms outside of normal business hours or expected scopes.